From 033dd10dbdd9c6e5bb021ade5376bb3399160c6c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 1 May 2026 14:29:18 +0200 Subject: [PATCH] 5.15-stable patches added patches: drm-arcpgu-fix-device-node-leak.patch ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch net-rds-fix-mr-cleanup-on-copy-error.patch net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch tpm-avoid-wunused-but-set-variable.patch --- .../drm-arcpgu-fix-device-node-leak.patch | 39 +++++++++ ...eply-type-before-using-icmp_pointers.patch | 54 ++++++++++++ ...-ptr-deref-in-ceph_handle_auth_reply.patch | 42 ++++++++++ ...net-rds-fix-mr-cleanup-on-copy-error.patch | 47 +++++++++++ ...early-lgr-access-in-smc_clc_wait_msg.patch | 49 +++++++++++ ...t-cancel-work-before-initializing-it.patch | 83 +++++++++++++++++++ ...-icrc-before-payload_size-in-rxe_rcv.patch | 51 ++++++++++++ queue-5.15/series | 8 ++ .../tpm-avoid-wunused-but-set-variable.patch | 52 ++++++++++++ 9 files changed, 425 insertions(+) create mode 100644 queue-5.15/drm-arcpgu-fix-device-node-leak.patch create mode 100644 queue-5.15/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch create mode 100644 queue-5.15/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch create mode 100644 queue-5.15/net-rds-fix-mr-cleanup-on-copy-error.patch create mode 100644 queue-5.15/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch create mode 100644 queue-5.15/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch create mode 100644 queue-5.15/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch create mode 100644 queue-5.15/tpm-avoid-wunused-but-set-variable.patch 
diff --git a/queue-5.15/drm-arcpgu-fix-device-node-leak.patch b/queue-5.15/drm-arcpgu-fix-device-node-leak.patch new file mode 100644 index 0000000000..9707ab1c52 --- /dev/null +++ b/queue-5.15/drm-arcpgu-fix-device-node-leak.patch @@ -0,0 +1,39 @@ +From ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c Mon Sep 17 00:00:00 2001 +From: Luca Ceresoli +Date: Thu, 2 Apr 2026 18:42:20 +0200 +Subject: drm/arcpgu: fix device node leak + +From: Luca Ceresoli + +commit ad3ac32a3893a2bbcad545efc005a8e4e7ecf10c upstream. + +This function gets a device_node reference via +of_graph_get_remote_port_parent() and stores it in encoder_node, but never +puts that reference. Add it. + +There used to be a of_node_put(encoder_node) but it has been removed by +mistake during a rework in commit 3ea66a794fdc ("drm/arc: Inline +arcpgu_drm_hdmi_init"). + +Fixes: 3ea66a794fdc ("drm/arc: Inline arcpgu_drm_hdmi_init") +Cc: stable@vger.kernel.org +Reviewed-by: Louis Chauvet +Link: https://patch.msgid.link/20260402-drm-arcgpu-fix-device-node-leak-v2-1-d773cf754ae5@bootlin.com +Signed-off-by: Luca Ceresoli +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tiny/arcpgu.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/tiny/arcpgu.c ++++ b/drivers/gpu/drm/tiny/arcpgu.c +@@ -245,7 +245,8 @@ DEFINE_DRM_GEM_CMA_FOPS(arcpgu_drm_ops); + static int arcpgu_load(struct arcpgu_drm_private *arcpgu) + { + struct platform_device *pdev = to_platform_device(arcpgu->drm.dev); +- struct device_node *encoder_node = NULL, *endpoint_node = NULL; ++ struct device_node *encoder_node __free(device_node) = NULL; ++ struct device_node *endpoint_node = NULL; + struct drm_connector *connector = NULL; + struct drm_device *drm = &arcpgu->drm; + struct resource *res; diff --git a/queue-5.15/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch b/queue-5.15/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch new file mode 100644 index 0000000000..e311529d19 --- /dev/null 
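Review bot: The new `struct device_node *encoder_node __free(device_node) = NULL;` depends on the scope-based cleanup helpers (`linux/cleanup.h` and the `device_node` `DEFINE_FREE` in `linux/of.h`), which upstream only gained in the 6.5/6.6 cycle, and the hunk adds no include; unless queue-5.15 already carries a backport of that infrastructure, this 5.15 patch will not build. A backport that matches this tree would instead restore the explicit `of_node_put(encoder_node);` at the function's exit, which is what the commit message says was dropped in 3ea66a794fdc. The body of arcpgu_load() and its return paths are outside the hunk, so which exit paths need the put cannot be confirmed from the visible lines.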
+++ b/queue-5.15/ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch @@ -0,0 +1,54 @@ +From 67bf002a2d7387a6312138210d0bd06e3cf4879b Mon Sep 17 00:00:00 2001 +From: Ruide Cao +Date: Tue, 21 Apr 2026 12:16:31 +0800 +Subject: ipv4: icmp: validate reply type before using icmp_pointers + +From: Ruide Cao + +commit 67bf002a2d7387a6312138210d0bd06e3cf4879b upstream. + +Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. +That value is outside the range covered by icmp_pointers[], which only +describes the traditional ICMP types up to NR_ICMP_TYPES. + +Avoid consulting icmp_pointers[] for reply types outside that range, and +use array_index_nospec() for the remaining in-range lookup. Normal ICMP +replies keep their existing behavior unchanged. + +Fixes: d329ea5bd884 ("icmp: add response to RFC 8335 PROBE messages") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruide Cao +Signed-off-by: Ren Wei +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/0dace90c01a5978e829ca741ef684dbd7304ce62.1776628519.git.caoruide123@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/icmp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv4/icmp.c ++++ b/net/ipv4/icmp.c +@@ -64,6 +64,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -361,7 +362,9 @@ static int icmp_glue_bits(void *from, ch + to, len); + + skb->csum = csum_block_add(skb->csum, csum, odd); +- if (icmp_pointers[icmp_param->data.icmph.type].error) ++ if (icmp_param->data.icmph.type <= NR_ICMP_TYPES && ++ icmp_pointers[array_index_nospec(icmp_param->data.icmph.type, ++ NR_ICMP_TYPES + 1)].error) + nf_ct_attach(skb, icmp_param->skb); + return 0; + } 
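Review bot: The new bound check in icmp_glue_bits() carries no explanation, and the reason it exists (ICMP_EXT_ECHOREPLY is larger than NR_ICMP_TYPES, so icmp_pointers[] has no entry for it) lives only in the commit message; I would add `/* ICMP_EXT_ECHOREPLY (RFC 8335) lies beyond icmp_pointers[]; only classic types can be error messages */` above the `if`. Pulling the type into a local, `__u8 type = icmp_param->data.icmph.type;`, would also remove the repeated field access and keep the `array_index_nospec()` call on one line. Skipping nf_ct_attach() for an out-of-range type looks right, since an extended echo reply is not an error message. icmp_glue_bits() starts before the hunk.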
diff --git a/queue-5.15/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch b/queue-5.15/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch new file mode 100644 index 0000000000..4478ef4b51 --- /dev/null +++ b/queue-5.15/libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch @@ -0,0 +1,42 @@ +From 5199c125d25aeae8615c4fc31652cc0fe624338e Mon Sep 17 00:00:00 2001 +From: Raphael Zimmer +Date: Wed, 18 Mar 2026 18:09:03 +0100 +Subject: libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() + +From: Raphael Zimmer + +commit 5199c125d25aeae8615c4fc31652cc0fe624338e upstream. + +If a message of type CEPH_MSG_AUTH_REPLY contains a zero value for both +protocol and result, this is currently not treated as an error. In case +of ac->negotiating == true and ac->protocol > 0, this leads to setting +ac->protocol = 0 and ac->ops = NULL. Thereafter, the check for +ac->protocol != protocol returns false, and init_protocol() is not +called. Subsequently, ac->ops->handle_reply() is called, which leads to +a null pointer dereference, because ac->ops is still NULL. + +This patch changes the check for ac->protocol != protocol to +!ac->protocol, as this also includes the case when the protocol was set +to zero in the message. This causes the message to be treated as +containing a bad auth protocol. + +Cc: stable@vger.kernel.org +Signed-off-by: Raphael Zimmer +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/auth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ceph/auth.c ++++ b/net/ceph/auth.c +@@ -245,7 +245,7 @@ int ceph_handle_auth_reply(struct ceph_a + ac->protocol = 0; + ac->ops = NULL; + } +- if (ac->protocol != protocol) { ++ if (!ac->protocol) { + ret = init_protocol(ac, protocol); + if (ret) { + pr_err("auth protocol '%s' init failed: %d\n", 
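Review bot: The switch from `ac->protocol != protocol` to `!ac->protocol` is correct but reads as if it only handles the first negotiation, and a later maintainer could revert it; I would add a comment above the condition such as `/* A reply carrying protocol 0 must still go through init_protocol(), which rejects it, so ac->ops is never left NULL for handle_reply() */`. With the reset visible just above (`ac->protocol = 0; ac->ops = NULL;` when the peer's protocol differs), the `!ac->protocol` test covers both the fresh and the re-negotiated case, so behaviour for a valid non-zero protocol is unchanged. The handle_reply() call the commit message refers to is outside the hunk, so the NULL dereference being prevented cannot be confirmed from the visible lines alone. ceph_handle_auth_reply() starts before and ends after the hunk.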
diff --git a/queue-5.15/net-rds-fix-mr-cleanup-on-copy-error.patch b/queue-5.15/net-rds-fix-mr-cleanup-on-copy-error.patch new file mode 100644 index 0000000000..e582b58ea9 --- /dev/null +++ b/queue-5.15/net-rds-fix-mr-cleanup-on-copy-error.patch @@ -0,0 +1,47 @@ +From 8141a2dc70080eda1aedc0389ed2db2b292af5bd Mon Sep 17 00:00:00 2001 +From: Ao Zhou +Date: Wed, 22 Apr 2026 22:52:07 +0800 +Subject: net: rds: fix MR cleanup on copy error + +From: Ao Zhou + +commit 8141a2dc70080eda1aedc0389ed2db2b292af5bd upstream. + +__rds_rdma_map() hands sg/pages ownership to the transport after +get_mr() succeeds. If copying the generated cookie back to user space +fails after that point, the error path must not free those resources +again before dropping the MR reference. + +Remove the duplicate unpin/free from the put_user() failure branch so +that MR teardown is handled only through the existing final cleanup +path. + +Fixes: 0d4597c8c5ab ("net/rds: Track user mapped pages through special API") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ao Zhou +Signed-off-by: Ren Wei +Reviewed-by: Allison Henderson +Link: https://patch.msgid.link/79c8ef73ec8e5844d71038983940cc2943099baf.1776764247.git.draw51280@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/rdma.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/net/rds/rdma.c ++++ b/net/rds/rdma.c +@@ -326,10 +326,6 @@ static int __rds_rdma_map(struct rds_soc + + if (args->cookie_addr && + put_user(cookie, (u64 __user *)(unsigned long)args->cookie_addr)) { +- if (!need_odp) { +- unpin_user_pages(pages, nr_pages); +- kfree(sg); +- } + ret = -EFAULT; + goto out; + } diff --git a/queue-5.15/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch b/queue-5.15/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch new file mode 100644 index 0000000000..0de36050fd --- /dev/null 
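Review bot: The put_user() failure branch now relies entirely on the cleanup behind `goto out`, and the `out:` path is outside the hunk, so whether it drops the MR reference and lets the transport unpin `pages` and free `sg` in this tree must be verified rather than taken from the commit message; if it does not, the fix trades a double free for a leak. An ownership comment on the branch would keep the duplicate cleanup from being reintroduced: `/* sg/pages belong to the MR after get_mr(); the final MR put at out: releases them */`. __rds_rdma_map() starts before and ends after the hunk.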
+++ b/queue-5.15/net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch @@ -0,0 +1,49 @@ +From 5a8db80f721deee8e916c2cfdee78decda02ce4f Mon Sep 17 00:00:00 2001 +From: Ruijie Li +Date: Wed, 22 Apr 2026 23:40:18 +0800 +Subject: net/smc: avoid early lgr access in smc_clc_wait_msg + +From: Ruijie Li + +commit 5a8db80f721deee8e916c2cfdee78decda02ce4f upstream. + +A CLC decline can be received while the handshake is still in an early +stage, before the connection has been associated with a link group. + +The decline handling in smc_clc_wait_msg() updates link-group level sync +state for first-contact declines, but that state only exists after link +group setup has completed. Guard the link-group update accordingly and +keep the per-socket peer diagnosis handling unchanged. + +This preserves the existing sync_err handling for established link-group +contexts and avoids touching link-group state before it is available. + +Fixes: 0cfdd8f92cac ("smc: connection and link group creation") +Cc: stable@kernel.org +Reported-by: Yuan Tan +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Reported-by: Xin Liu +Signed-off-by: Ruijie Li +Signed-off-by: Ren Wei +Reviewed-by: Dust Li +Link: https://patch.msgid.link/08c68a5c817acf198cce63d22517e232e8d60718.1776850759.git.ruijieli51@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_clc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_clc.c ++++ b/net/smc/smc_clc.c +@@ -440,8 +440,8 @@ int smc_clc_wait_msg(struct smc_sock *sm + dclc = (struct smc_clc_msg_decline *)clcm; + reason_code = SMC_CLC_DECL_PEERDECL; + smc->peer_diagnosis = ntohl(dclc->peer_diagnosis); +- if (((struct smc_clc_msg_decline *)buf)->hdr.typev2 & +- SMC_FIRST_CONTACT_MASK) { ++ if ((dclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK) && ++ smc->conn.lgr) { + smc->conn.lgr->sync_err = 1; + smc_lgr_terminate_sched(smc->conn.lgr); + } 
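Review bot: The new `smc->conn.lgr` test in smc_clc_wait_msg() is an unlocked read of a pointer that link-group teardown may clear; if an established link group can be terminated concurrently with this decline, the check could pass and the dereference on the next line still race, so the locking or RCU rules for `conn.lgr` in this tree should be checked rather than assumed. A short comment would explain the guard: `/* No lgr exists during the early handshake; only an established link group has sync state to mark */`. The hunk also switches the typev2 read from `buf` to `dclc`, which is equivalent only if `clcm` aliases `buf`; that assignment is before the hunk. smc_clc_wait_msg() starts before and ends after the hunk.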
diff --git a/queue-5.15/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch b/queue-5.15/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch new file mode 100644 index 0000000000..afc37b38d0 --- /dev/null +++ b/queue-5.15/power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch 
@@ -0,0 +1,83 @@ +From 658342fd75b582cbb06544d513171c3d645faead Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Fri, 20 Feb 2026 18:49:39 +0100 +Subject: power: supply: axp288_charger: Do not cancel work before initializing it + +From: Krzysztof Kozlowski + +commit 658342fd75b582cbb06544d513171c3d645faead upstream. + +Driver registered devm handler to cancel_work_sync() before even the +work was initialized, thus leading to possible warning from +kernel/workqueue.c on (!work->func) check, if the error path was hit +before the initialization happened. + +Use devm_work_autocancel() on each work item independently, which +handles the initialization and handler to cancel work. + +Fixes: 165c2357744e ("power: supply: axp288_charger: Properly stop work on probe-error / remove") +Cc: stable@vger.kernel.org +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Hans de Goede +Reviewed-by: Chen-Yu Tsai +Link: https://patch.msgid.link/20260220174938.672883-5-krzysztof.kozlowski@oss.qualcomm.com +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -796,14 +797,6 @@ static int charger_init_hw_regs(struct a + return 0; + } + +-static void axp288_charger_cancel_work(void *data) +-{ +- struct axp288_chrg_info *info = data; +- +- cancel_work_sync(&info->otg.work); +- cancel_work_sync(&info->cable.work); +-} +- + static int axp288_charger_probe(struct platform_device *pdev) + { + int ret, i, pirq; +@@ -867,12 +860,12 @@ static int axp288_charger_probe(struct p + } + + /* Cancel our work on cleanup, register this before the notifiers */ +- ret = devm_add_action(dev, axp288_charger_cancel_work, info); ++ ret = devm_work_autocancel(dev, &info->cable.work, 
++ axp288_charger_extcon_evt_worker); + if (ret) + return ret; + + /* Register for extcon notification */ +- INIT_WORK(&info->cable.work, axp288_charger_extcon_evt_worker); + info->cable.nb.notifier_call = axp288_charger_handle_cable_evt; + ret = devm_extcon_register_notifier_all(dev, info->cable.edev, + &info->cable.nb); +@@ -882,8 +875,12 @@ static int axp288_charger_probe(struct p + } + schedule_work(&info->cable.work); + ++ ret = devm_work_autocancel(dev, &info->otg.work, ++ axp288_charger_otg_evt_worker); ++ if (ret) ++ return ret; ++ + /* Register for OTG notification */ +- INIT_WORK(&info->otg.work, axp288_charger_otg_evt_worker); + info->otg.id_nb.notifier_call = axp288_charger_handle_otg_evt; + if (info->otg.cable) { + ret = devm_extcon_register_notifier(dev, info->otg.cable, diff --git a/queue-5.15/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch b/queue-5.15/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch new file mode 100644 index 0000000000..96b940e3e8 --- /dev/null +++ b/queue-5.15/rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch 
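Review bot: The second `devm_work_autocancel()` for `info->otg.work` is registered after `schedule_work(&info->cable.work)`, so the cable worker may already be running before `otg.work` is initialised; if axp288_charger_extcon_evt_worker() ever queues or inspects `otg.work` that would be a use before INIT_WORK, and the worker is outside the hunk, so it is worth confirming. Moving the otg autocancel call above the `schedule_work()` appears to remove the question at no cost, since devm actions unwind in reverse registration order and the otg notifier is registered later either way. The surviving comment `/* Cancel our work on cleanup, register this before the notifiers */` now covers only the cable work; the otg call deserves the same note, e.g. `/* Init and auto-cancel otg work before its notifier can queue it */`. axp288_charger_probe() starts before and ends after the hunk.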
@@ -0,0 +1,51 @@ +From 7244491dab347f648e661da96dc0febadd9daec3 Mon Sep 17 00:00:00 2001 +From: hkbinbin +Date: Wed, 1 Apr 2026 12:19:07 +0000 +Subject: RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv + +From: hkbinbin + +commit 7244491dab347f648e661da96dc0febadd9daec3 upstream. + +rxe_rcv() currently checks only that the incoming packet is at least +header_size(pkt) bytes long before payload_size() is used. + +However, payload_size() subtracts both the attacker-controlled BTH pad +field and RXE_ICRC_SIZE from pkt->paylen: + + payload_size = pkt->paylen - offset[RXE_PAYLOAD] - bth_pad(pkt) + - RXE_ICRC_SIZE + +This means a short packet can still make payload_size() underflow even +if it includes enough bytes for the fixed headers. Simply requiring +header_size(pkt) + RXE_ICRC_SIZE is not sufficient either, because a +packet with a forged non-zero BTH pad can still leave payload_size() +negative and pass an underflowed value to later receive-path users. + +Fix this by validating pkt->paylen against the full minimum length +required by payload_size(): header_size(pkt) + bth_pad(pkt) + +RXE_ICRC_SIZE. + +Cc: stable@vger.kernel.org +Fixes: 8700e3e7c485 ("Soft RoCE driver") +Link: https://patch.msgid.link/r/20260401121907.1468366-1-hkbinbinbin@gmail.com +Signed-off-by: hkbinbin +Reviewed-by: Zhu Yanjun +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_recv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_recv.c ++++ b/drivers/infiniband/sw/rxe/rxe_recv.c +@@ -375,7 +375,8 @@ void rxe_rcv(struct sk_buff *skb) + pkt->qp = NULL; + pkt->mask |= rxe_opcode[pkt->opcode].mask; + +- if (unlikely(skb->len < header_size(pkt))) ++ if (unlikely(pkt->paylen < header_size(pkt) + bth_pad(pkt) + ++ RXE_ICRC_SIZE)) + goto drop; + + err = hdr_check(pkt); diff --git a/queue-5.15/series b/queue-5.15/series index 59309f3305..19eb6afdb2 100644 --- a/queue-5.15/series 
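Review bot: The length check in rxe_rcv() now compares `pkt->paylen`, the UDP-derived length, instead of `skb->len`, so the guard is only as strong as the earlier validation that `paylen` does not exceed the bytes actually present in the skb; that validation lives in the UDP receive path outside this hunk and should be confirmed in 5.15, otherwise a forged UDP length could still let later users read past the buffer. Evaluating `bth_pad(pkt)` here also presumes the BTH itself was already length-checked before `pkt->opcode` was read from it, which the visible lines suggest but do not show. I would record the invariant above the `if`: `/* paylen must cover the headers, the BTH pad and the trailing ICRC, or payload_size() underflows */`. rxe_rcv() starts before and ends after the hunk.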
+++ b/queue-5.15/series @@ -218,3 +218,11 @@ alsa-caiaq-fix-control_put-result-and-cache-rollback.patch alsa-caiaq-handle-probe-errors-properly.patch alsa-6fire-fix-input-volume-change-detection.patch iio-adc-ad7768-1-fix-one-shot-mode-data-acquisition.patch +net-rds-fix-mr-cleanup-on-copy-error.patch +net-smc-avoid-early-lgr-access-in-smc_clc_wait_msg.patch +drm-arcpgu-fix-device-node-leak.patch +rdma-rxe-validate-pad-and-icrc-before-payload_size-in-rxe_rcv.patch +ipv4-icmp-validate-reply-type-before-using-icmp_pointers.patch +libceph-prevent-potential-null-ptr-deref-in-ceph_handle_auth_reply.patch +tpm-avoid-wunused-but-set-variable.patch +power-supply-axp288_charger-do-not-cancel-work-before-initializing-it.patch diff --git a/queue-5.15/tpm-avoid-wunused-but-set-variable.patch b/queue-5.15/tpm-avoid-wunused-but-set-variable.patch new file mode 100644 index 0000000000..253987a829 --- /dev/null +++ b/queue-5.15/tpm-avoid-wunused-but-set-variable.patch 
@@ -0,0 +1,52 @@ +From 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Mar 2024 14:22:48 +0100 +Subject: tpm: avoid -Wunused-but-set-variable + +From: Arnd Bergmann + +commit 6f1d4d2ecfcd1b577dc87350ea965fe81f272e83 upstream. + +Outside of the EFI tpm code, the TPM_MEMREMAP()/TPM_MEMUNMAP functions are +defined as trivial macros, leading to the mapping_size variable ending +up unused: + +In file included from drivers/char/tpm/tpm-sysfs.c:16: +In file included from drivers/char/tpm/tpm.h:28: +include/linux/tpm_eventlog.h:167:6: error: variable 'mapping_size' set but not used [-Werror,-Wunused-but-set-variable] + 167 | int mapping_size; + +Turn the stubs into inline functions to avoid this warning. + +Cc: stable@vger.kernel.org # v5.3+ +Fixes: c46f3405692d ("tpm: Reserve the TPM final events table") +Signed-off-by: Arnd Bergmann +Reviewed-by: Thorsten Blum +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/tpm_eventlog.h | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/include/linux/tpm_eventlog.h ++++ b/include/linux/tpm_eventlog.h +@@ -131,11 +131,16 @@ struct tcg_algorithm_info { + }; + + #ifndef TPM_MEMREMAP +-#define TPM_MEMREMAP(start, size) NULL ++static inline void *TPM_MEMREMAP(unsigned long start, size_t size) ++{ ++ return NULL; ++} + #endif + + #ifndef TPM_MEMUNMAP +-#define TPM_MEMUNMAP(start, size) do{} while(0) ++static inline void TPM_MEMUNMAP(void *mapping, size_t size) ++{ ++} + #endif + + /** -- 2.47.3
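Review bot: The new inline stubs in tpm_eventlog.h silently accept and ignore their arguments, and nothing says when they are the definitions in effect; I would add a one-line comment on the `#ifndef TPM_MEMREMAP` block, e.g. `/* Fallbacks used when the EFI event-log code has not supplied real remap helpers; no mapping is ever created */`. Turning the macros into functions also pins the parameter types (`unsigned long start`, `void *mapping`, `size_t size`), so a caller passing anything else now gets an implicit conversion where the macro accepted any expression; the callers are outside the hunk, so a W=1 build of 5.15 is worth running. The stubs still return NULL and do nothing, so the backport changes no behaviour beyond silencing the warning.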